Tools used:
- VirusTotal.com
- PEview
- PEiD
- Dependency Walker
- Malcode Analyst Pack
- Resource Hacker
Questions
1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
No indication of packing from PEview.

3. When was this program compiled?

4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

ADVAPI32.DLL
- The program does something with permissions.
KERNEL32.DLL
- Loads data from the resource section
  - LoadResource
  - FindResourceA
  - SizeofResource
- Writes a file to disk
  - CreateFileA
  - WriteFile
- Executes the file
  - WinExec
5. What host- or network-based indicators could be used to identify this malware on infected machines?
Use the strings program.

- The malware does something with \system32\wupdmgrd.exe.
- Connects back to http://www.practicalmalwareanalysis.com/updater.exe
6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?
Use Resource Hacker to analyze the file.

Go to the Action menu, save the resource as a binary file, and open the saved file in PEview.

The extracted file is itself an executable that uses network functions: it calls URLDownloadToFile and then WinExec to run the downloaded file.
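The two PEview steps above (reading the compile timestamp for question 3, and confirming that the dumped resource is a second executable for question 6) can be scripted. The following is an added example, not part of the lab notes or the book's own tooling: it scans a byte buffer for embedded PE images, validating the MZ/PE headers rather than trusting every "MZ" it finds, and reports the COFF TimeDateStamp. The sample buffer is constructed here to stand in for a dumped resource; with a real dump you would pass the file's bytes instead.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values for the architectures seen in this lab series
MACHINE_NAMES = {0x14C: "x86 (I386)", 0x8664: "x64 (AMD64)"}


def find_embedded_pe(data: bytes):
    """Return a record for every plausible PE image found inside data.

    A hit needs an "MZ" DOS stub whose e_lfanew (offset 0x3C) points at a
    "PE\\0\\0" signature inside the buffer; stray "MZ" byte pairs are skipped.
    """
    results = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # e_lfanew is small in real binaries; the COFF header must fit too
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(data) \
                    and data[pe:pe + 4] == b"PE\0\0":
                # COFF header: Machine (2), NumberOfSections (2), TimeDateStamp (4)
                machine, nsections, stamp = struct.unpack_from("<HHI", data, pe + 4)
                results.append({
                    "offset": pos,
                    "machine": machine,
                    "machine_name": MACHINE_NAMES.get(machine, hex(machine)),
                    "sections": nsections,
                    "timestamp": stamp,
                    # the same value PEview shows as the compile time (UTC)
                    "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
                })
        pos = data.find(b"MZ", pos + 1)
    return results


def build_sample() -> bytes:
    """Constructed stand-in for a dumped resource: noise, a decoy "MZ", then a minimal PE."""
    dos = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80))  # e_lfanew = 0x80
    dos += b"\0" * (0x80 - len(dos))
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, 1_000_000_000) + b"\0" * 12
    return b"noise MZ decoy " + b"\xAA" * 0x100 + bytes(dos) + coff + b"\0" * 16


if __name__ == "__main__":
    for hit in find_embedded_pe(build_sample()):
        print(f"PE at offset {hit['offset']:#x}: {hit['machine_name']}, "
              f"{hit['sections']} sections, compiled {hit['compiled']}")
```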